THE GROUP GENERATED BY
THE ROUND FUNCTIONS OF
A GOST-LIKE CIPHER

R. ARAGONA, A. CARANTI, AND M. SALA 


Abstract. We define a cipher that is an extension of GOST, and study the permutation group generated by its round functions. We show that, under minimal assumptions on the components of the cipher, this group is the alternating group on the plaintext space. This we do by first showing that the group is primitive, and then applying the O'Nan-Scott classification of primitive groups.


1. Introduction 

When DES was about to be broken by brute force, and Triple DES was introduced as a replacement, Kaliski, Rivest and Sherman considered in [KRS88] the question whether DES (that is, the set of transformations it defines) is a group. Had this been the case, Triple DES would have been no different from DES. They gave evidence for the fact that DES was indeed not a group,, and also showed that if the group generated by a cipher is too small, then certain attacks based on the birthday paradox are possible. Note, however, that Murphy, Paterson and Wild [MPW94] have constructed a weak cipher that generates the whole symmetric group; therefore the latter requirement alone is not enough to guarantee the strength of the cipher.

Coppersmith and Grossman defined a set of functions which can be adapted for constructing a block cipher, and studied the permutation group generated by them [CG75]. Even and Goldreich defined certain DES-like functions, and proved that the permutation group generated by these functions is the alternating group [EG83]. Wernsdorf later showed that the group generated by the round functions of DES is the alternating group [Wer93], and Sparr and Wernsdorf showed that the same holds for KASUMI [SW15] and AES [SW08]. Since the group generated by a cipher (with independent round keys) is a normal subgroup of the group generated by the round functions, and the alternating group is a simple group, it follows that the former group is also alternating.
In [CDVS09b, CDVS09a, ACDVS13] another approach to these questions was taken, in that one first shows that the group generated by the round functions of an AES-like cipher is a primitive permutation group, provided the S-boxes satisfy some cryptographic assumptions, such as being weakly APN functions. This shows that the cipher has no imprimitivity trapdoor [Pat99]. Then the O'Nan-Scott classification of finite primitive groups [LPS88, Li03] is used to show that the group must be alternating or symmetric. In this paper we apply this point of view to an extension of the cipher GOST 28147-89 [Dol10], or GOST for short, and show that its round functions generate the alternating group. It might be noted that we require only minimal assumptions on the components of this cipher, basically only that the S-boxes are bijective, and that the rotation has the "right" extent. This appears to indicate that the Feistel structure plays an important role in guaranteeing that the group is large.

Oliynykov considered in [Oli11] ciphertext-only attacks on Feistel networks, and proved that the use of secret, non-bijective S-boxes allows for the introduction of trapdoors. In particular, the author applied his results to GOST.

In Section 2 we describe GOST. In Section 3 we introduce our extension of GOST. In Section 4 we show that the group generated by the round functions of this GOST-like cipher is primitive. In Section 5 we analyse the cases in the O'Nan-Scott classification, to conclude that the group generated by the round functions of our GOST-like cipher is the alternating group.


2. The group generated by the round functions of GOST 

Consider the set $V^0 = \mathbb{F}_2^n$, for some $n > 1$. (Here $\mathbb{F}_2$ is the field with two elements; see Remark 2.4 for the actual values in GOST of this and of the other parameters we are going to introduce in the following.) We consider two group structures on $V^0$. The first operation is the bitwise sum (XOR), which will be denoted by $+$. The bitwise sum makes $V^0$ into a vector space over $\mathbb{F}_2$.

The second operation, denoted by $\boxplus$, is the sum modulo $2^n$. That is, we represent $a, b \in V^0$ as
$$a = (a_0, a_1, \dots, a_{n-1}), \qquad b = (b_0, b_1, \dots, b_{n-1}),$$
with $a_i, b_i \in \{0, 1\}$ integers, and let
$$a \boxplus b = (c_0, c_1, \dots, c_{n-1}),$$
where
$$(a_0 + a_1 2 + a_2 2^2 + \dots + a_{n-1} 2^{n-1}) + (b_0 + b_1 2 + b_2 2^2 + \dots + b_{n-1} 2^{n-1}) \equiv c_0 + c_1 2 + c_2 2^2 + \dots + c_{n-1} 2^{n-1} \pmod{2^n},$$
with $c_i \in \{0, 1\}$ integers. (Here $+$ denotes the ordinary sum of integers.) Therefore $V^0$ under $\boxplus$ is the same thing as the group $\mathbb{Z}_{2^n}$ of integers modulo $2^n$, and we will denote it by $(\mathbb{Z}_{2^n}, \boxplus)$. We use $\boxminus a$ to indicate the opposite of $a \in V^0$ with respect to $\boxplus$.
We record a few elementary facts that we will be using repeatedly without further mention.

Lemma 2.1.

• The subgroups of $(\mathbb{Z}_{2^n}, \boxplus)$ are linearly ordered; they are the $\langle 2^q \rangle$, for $0 \le q \le n$.

• The endomorphisms of $(\mathbb{Z}_{2^n}, \boxplus)$ are of the form $x \mapsto zx$, where $z$ is an integer, $0 \le z < 2^n$. Such a map is an automorphism if and only if $z$ is odd.

• Every subgroup of $(\mathbb{Z}_{2^n}, \boxplus)$ is fully invariant (that is, it is sent into itself by any endomorphism of $(\mathbb{Z}_{2^n}, \boxplus)$) and thus characteristic (that is, it is sent onto itself by any automorphism of $(\mathbb{Z}_{2^n}, \boxplus)$).

• The element
$$2^{n-1} = (0, 0, \dots, 0, 1)$$
is the only involution (that is, element of order 2) of $(\mathbb{Z}_{2^n}, \boxplus)$. Therefore $2^{n-1}$ is fixed by any automorphism of $(\mathbb{Z}_{2^n}, \boxplus)$, and it is sent to zero by any endomorphism which is not an automorphism.

In GOST 28147-89 [Dol10] the plaintext space is $V = V^1 \times V^2$, where $V^1, V^2$ are two copies of $V^0$, and the key space $\mathcal{K}$ is another copy of $V^0$. Clearly $V$ inherits both group structures componentwise from $V^1, V^2$.

Definition 2.2. When considering a subset of $V^i$, for $i = 0, 1, 2$, we will call it

• a subspace if it is a subgroup (and thus a vector subspace) of $(\mathbb{F}_2^n, +)$, and

• a $\boxplus$-subgroup, or simply a subgroup, if it is a subgroup of $(\mathbb{Z}_{2^n}, \boxplus)$.

This terminology can be extended to the subsets of $V$.

Definition 2.3. We will consider $V^i$, for $i = 0, 1, 2$, as the Cartesian product
$$(2.1) \qquad V^i = V^i_1 \times \dots \times V^i_\delta = V^i_1 \,\|\, \dots \,\|\, V^i_\delta$$
of $\delta > 1$ subspaces $V^i_j$, all of the same dimension $m > 1$. (Here $\|$ denotes concatenation of strings.)

An element $\gamma$ of the symmetric group $\mathrm{Sym}(V^i)$ on $V^i$ is called a bricklayer transformation with respect to (2.1) if it preserves the direct product decomposition, that is, if there are S-boxes $\gamma_j \in \mathrm{Sym}(V^i_j)$ such that, writing $v \in V^i$ as
$$v = (v_1, \dots, v_\delta),$$
with $v_j \in V^i_j$, we have
$$v\gamma = (v_1\gamma_1, \dots, v_\delta\gamma_\delta).$$
We will refer to each $V^i_j$ as a brick.

Let $S = \gamma R \in \mathrm{Sym}(V^i)$, where $\gamma \in \mathrm{Sym}(V^i)$ is a bricklayer transformation and $R$ is the right rotation by $r$ bits (we refer to $r$ as the extent of the rotation), with $m \le r \le (\delta - 1)m$, that is
$$(a_0, \dots, a_{n-1})R = (a_{n-r}, \dots, a_{n-1}, a_0, \dots, a_{n-r-1}).$$
Remark 2.4. In the case of GOST, the actual values of the parameters are: $n = 32$, $m = 4$, $\delta = 8$ and $r = 11$.

For $(k_1, k_2) \in V = V^1 \times V^2$ consider the $\boxplus$-translation on $V$ by $(k_1, k_2)$
$$\rho_{(k_1, k_2)} : V^1 \times V^2 \to V^1 \times V^2, \qquad (x_1, x_2) \mapsto (x_1 \boxplus k_1, x_2 \boxplus k_2).$$

We now introduce a formal $2n \times 2n$ matrix, which implements the Feistel structure,
$$(2.2) \qquad \Sigma = \begin{bmatrix} 0 & 1 \\ 1 & S \end{bmatrix},$$
where $0$ and $1$ are $n \times n$ matrices. This acts (on the right) on $(x_1, x_2) \in V = V^1 \times V^2$ by
$$(2.3) \qquad (x_1, x_2)\Sigma = (x_2, x_1 + x_2 S).$$
Note that $\Sigma$ has the formal inverse matrix
$$\Sigma^{-1} = \begin{bmatrix} S & 1 \\ 1 & 0 \end{bmatrix}.$$

A round function of GOST with respect to the round key $k \in \mathcal{K}$ can now be described as
$$(2.4) \qquad T_k = \rho_{(0, k)} \, \Sigma \, \rho_{(\boxminus k, 0)}.$$
(As we let permutations act on the right, this is a left-to-right composition.) In fact
$$\begin{aligned}
(x_1, x_2) T_k &= (x_1, x_2)\, \rho_{(0, k)} \, \Sigma \, \rho_{(\boxminus k, 0)} \\
&= (x_1, x_2 \boxplus k)\, \Sigma \, \rho_{(\boxminus k, 0)} \\
&= (x_2 \boxplus k, \; x_1 + (x_2 \boxplus k)S)\, \rho_{(\boxminus k, 0)} \\
&= (x_2, \; x_1 + (x_2 \boxplus k)S).
\end{aligned}$$
Thus the group generated by the round functions of GOST is
$$\mathcal{G} = \langle T_k : k \in \mathcal{K} \rangle.$$

3. A larger group

In our notation, in an actual GOST round (2.4) the key addition ($\boxplus$-translation) preceding $\Sigma$, and that following $\Sigma$, are related: the first one acts only on $V^2$, the second one only on $V^1$, and the extents of the two translations are one the $\boxplus$-opposite of the other. In this paper we will be studying a GOST-like system in which a round generalizes the one of GOST: we allow to $\boxplus$-sum two arbitrary (unrelated) pairs of keys before and after applying the Feistel transformation $\Sigma$. So in our cipher the plaintext space $V$ is the same as that of GOST, while the key space is $\mathcal{H} = \mathcal{K} \times \mathcal{K} = V$, and a round takes the form
$$(3.1) \qquad \rho_k \, \Sigma \, \rho_h,$$
with $k, h \in \mathcal{H}$. Such a round operates on $(x_1, x_2) \in V = V^1 \times V^2$ by
$$\begin{aligned}
(x_1, x_2)\, \rho_k \, \Sigma \, \rho_h &= (x_1 \boxplus k_1, x_2 \boxplus k_2)\, \Sigma \, \rho_h \\
&= (x_2 \boxplus k_2, \; x_1 \boxplus k_1 + (x_2 \boxplus k_2)S)\, \rho_h \\
&= (x_2 \boxplus k_2 \boxplus h_1, \; (x_1 \boxplus k_1 + (x_2 \boxplus k_2)S) \boxplus h_2),
\end{aligned}$$
where $k_i, h_i \in V^i$.

The corresponding group will thus be
$$\Gamma = \langle \rho_k \, \Sigma \, \rho_h : k, h \in \mathcal{H} \rangle.$$
Clearly our group $\Gamma$ contains the group $\mathcal{G}$ generated by the round functions of GOST.

We collect a couple of elementary observations.

(1) $\Sigma \in \Gamma$. This follows from setting $k = h = 0$ in (3.1).

(2) For all $k \in \mathcal{H}$, we have that $\rho_k \in \Gamma$. It suffices to set $h = 0$ in (3.1) and then note that $\rho_k = (\rho_k \Sigma)\Sigma^{-1}$ is in $\Gamma$, as both factors are.

Therefore
$$(3.2) \qquad \Gamma = \langle \mathcal{T}, \Sigma \rangle,$$
where
$$\mathcal{T} = \{ \rho_k : k \in \mathcal{H} \}$$
is the group of $\boxplus$-translations on $V$. In particular, $\mathcal{T}$ acts transitively on $V$.

We now state our main result. 

Theorem 3.1. Let $n = \delta m$, with $\delta \ge 4$ and $m \ge 2$. Consider the $\mathbb{F}_2$-vector spaces $V^i = \mathbb{F}_2^n$, for $i = 1, 2$, and $V = V^1 \times V^2$, under the operation $+$. For $i = 1, 2$, write
$$(3.3) \qquad V^i = V^i_1 \times \dots \times V^i_\delta,$$
where each $V^i_j$ is a subspace of dimension $m$ over $\mathbb{F}_2$.

Let $\boxplus$ be the operation on $V^i$, $V$ defined in the previous Section, so that each $(V^i, \boxplus)$ is cyclic, of order $2^n$. Let $\mathcal{T}$ be the group of $\boxplus$-translations $\rho_k : x \mapsto x \boxplus k$ on $V$, for $k \in V$.

Consider

(1) A bricklayer transformation $\gamma$ with respect to (3.3).

(2) The right rotation $R$ by $r$ bits on $V^i$.

(3) $S = \gamma R$.

(4) The formal matrix
$$\Sigma = \begin{bmatrix} 0 & 1 \\ 1 & S \end{bmatrix},$$
which operates on $V = V^1 \times V^2$ by
$$(x_1, x_2)\Sigma = (x_2, x_1 + x_2 S).$$

Consider the GOST-like cipher with plaintext and key space $V$, in which a round has the form
$$\rho_k \, \Sigma \, \rho_h,$$
for the round keys $k, h \in V$.

Then the group generated by the round functions is
$$\Gamma = \langle \mathcal{T}, \Sigma \rangle,$$
where $\mathcal{T} = \{ \rho_k : k \in V \}$ is the set of $\boxplus$-translations on $V$.

Assume that

(1) the rotation extent $r$ satisfies $m \le r \le (\delta - 1)m$, and

(2) the bricklayer transformation $\gamma$ is bijective (equivalently, each S-box is bijective, or $S$ is bijective).

Then
$$\Gamma = \mathrm{Alt}(V).$$

Here $\mathrm{Alt}(V)$ is the alternating group, consisting of the even permutations on the set $V$. We record the following

Lemma 3.2. All permutations of $\Gamma$ are even, that is, $\Gamma \le \mathrm{Alt}(V)$.

Proof. The group $\mathcal{T}$ of $\boxplus$-translations is generated by $\rho_{(0,1)}$ and $\rho_{(1,0)}$. Both maps are even permutations, as each of them is the product of $2^n$ cycles of length $2^n$.

We now show that $\Sigma$ is also an even permutation. $\Sigma$ can be considered as the composition of two permutations of order 2 of $V$. The first permutation
$$(x_1, x_2) \mapsto (x_2, x_1),$$
which exchanges the coordinates, has the $2^n$ fixed points $(x, x)$, for $x \in V^0$, and thus it is the product of an even number
$$\frac{2^{2n} - 2^n}{2} = 2^{2n-1} - 2^{n-1}$$
of 2-cycles, as $n > 1$. The second permutation
$$(x_2, x_1) \mapsto (x_2, x_1 + x_2 S)$$
has also order 2, and has also $2^n$ fixed points, which correspond to the value $x_2 = 0S^{-1}$, and thus it is also even. □

Remark 3.3. The arguments of Section 4 could be extended to cover any rotation different from the identity. For the arguments of Subsection 5.2 to work with any rotation different from the identity, however, we would need to add extra hypotheses on the behaviour of the last S-box. Therefore we have preferred to stick to this setting, which requires only two natural assumptions on the cipher.

Let us consider a cipher consisting of a fixed number of rounds as in Theorem 3.1, with independent round keys. The group $\Gamma'$ generated by (the transformations of) this cipher will be a normal subgroup of $\Gamma$. (See Lemma 3.4 below.) Since the alternating group acting on at least 5 letters is simple, it follows that $\Gamma'$ is also the alternating group on $V$.

Lemma 3.4. Let $\Gamma$ be a group generated by elements $g_i$, for $i$ in some index set. Let $N$ be a positive integer. Let $\Gamma'$ be the subgroup of $\Gamma$ generated by all products
$$g_{i_1} g_{i_2} \cdots g_{i_N}.$$
Then $\Gamma'$ is a normal subgroup of $\Gamma$.

Proof. We have to show that for all choices of generators $g = g_{i_0}, g_{i_1}, \dots, g_{i_N}$ of $\Gamma$, the conjugate $g^{-1}(g_{i_1} \cdots g_{i_N})g$ lies in $\Gamma'$. We have
$$g^{-1}(g_{i_1} g_{i_2} \cdots g_{i_N})g = (g^N)^{-1}\,(g^{N-1} g_{i_1})\,(g_{i_2} \cdots g_{i_N} g) \in \Gamma',$$
as each of the three factors on the right is a product of $N$ generators, or the inverse of one. □

Clearly our result for $\Gamma$ has no immediate implication about the size of the smaller group $\mathcal{G}$ of GOST.


4. Primitivity

We recall a couple of basic properties of imprimitive groups. Let $G$ be a finite group acting transitively on a set $V$.

Lemma 4.1. A block (of imprimitivity) is of the form $vH$, for some $v \in V$, and some proper subgroup $H$ of $G$ which properly contains the stabiliser of $v$ in $G$.

Lemma 4.2. If $\mathcal{T}$ is a transitive subgroup of $G$, then a block for $G$ is also a block for $\mathcal{T}$.

In our case, $\mathcal{T}$ is a transitive subgroup of $\Gamma$. We first record a trivial observation, which is an immediate consequence of the fact that the map $u \mapsto \rho_u$ is an isomorphism $(V, \boxplus) \to \mathcal{T}$.

Lemma 4.3. The subgroups of $\mathcal{T}$ are of the form
$$\{ \rho_u : u \in U \},$$
where $U$ is a subgroup of $(V, \boxplus)$.

We obtain

Lemma 4.4. If $\Gamma$ acting on $V$ has a block system, then this consists of the cosets of a $\boxplus$-subgroup of $V$, that is, it is of the form
$$\{ W \boxplus v : v \in V \},$$
where $W$ is a non-trivial, proper subgroup of $(V, \boxplus)$.
According to Lemma 4.4, to prove the primitivity of $\Gamma$ we have to show that no subgroup of $(V, \boxplus)$ is a block. Goursat has characterized [Gou89, Sections 11-12] the subgroups of the direct product of two groups in terms of suitable sections of the direct factors. (See also [Pet09].)

Theorem 4.5 (Goursat's Lemma). Let $(G_1, \boxplus)$ and $(G_2, \boxplus)$ be two groups. There exists a bijection between

(1) the set of all subgroups of the direct product $G_1 \times G_2$, and

(2) the set of all triples $(A/B, C/D, \psi)$, where

• $A$ is a subgroup of $G_1$,

• $C$ is a subgroup of $G_2$,

• $B$ is a normal subgroup of $A$,

• $D$ is a normal subgroup of $C$, and

• $\psi : A/B \to C/D$ is a group isomorphism.

In this bijection, each subgroup of $G_1 \times G_2$ can be uniquely written as
$$(4.1) \qquad U_\psi = \{ (a, c) \in A \times C : (a \boxplus B)\psi = c \boxplus D \}.$$

Let us consider the case when $G_1 = G_2 = \mathbb{Z}_{2^n}$, with operation $\boxplus$. Then $A = \langle 2^s \rangle$ and $C = \langle 2^t \rangle$ for some $s, t$, with $0 \le s, t \le n$. Assume first that $s \le t$. Therefore there is an odd integer $z \ge 1$ such that
$$(2^s \boxplus B)\psi = z 2^t \boxplus D.$$
Let us consider the endomorphism $\varphi : x \mapsto z 2^{t-s} x$ of $\mathbb{Z}_{2^n}$. Since $2^s\varphi = z 2^t$, we have that $\varphi$ induces $\psi$, that is, for $a \in A$
$$(4.2) \qquad (a \boxplus B)\psi = a\varphi \boxplus D.$$
If $t \le s$, we have similarly that for the endomorphism $\varphi : x \mapsto z 2^{s-t} x$ of $\mathbb{Z}_{2^n}$ one has
$$(4.3) \qquad (c \boxplus D)\psi^{-1} = c\varphi \boxplus B.$$

We claim

Lemma 4.6. In the above notation, we have
$$(4.4) \qquad U_\psi = \{ (a, a\varphi \boxplus d) : a \in A, d \in D \} \quad \text{when } s \le t,$$
$$(4.5) \qquad U_\psi = \{ (c\varphi \boxplus b, c) : c \in C, b \in B \} \quad \text{when } t \le s.$$

Proof. We will prove only the first equality, the proof of the other being analogous.

Note first that the right-hand side of (4.4) is contained in $U_\psi$, since for $a \in A$ and $d \in D$ we have
$$(a \boxplus B)\psi = a\varphi \boxplus D = a\varphi \boxplus d \boxplus D,$$
that is, $(a, a\varphi \boxplus d) \in U_\psi$.

We now prove that $U_\psi$ is contained in the right-hand side of (4.4). If $(a, c) \in U_\psi$ we have, using (4.2),
$$a\varphi \boxplus D = (a \boxplus B)\psi = c \boxplus D,$$
so that $c = a\varphi \boxplus d$ for some $d \in D$. □

We now show that no subgroup $U$ of $\mathbb{Z}_{2^n} \times \mathbb{Z}_{2^n}$ is a block. By Lemma 4.4 we have to prove the following

Lemma 4.7. There is no nontrivial, proper $\boxplus$-subgroup $U$ of $V$, and $(v_1, v_2) \in V$, such that
$$(4.6) \qquad U\Sigma = U \boxplus (v_1, v_2).$$

Proof. By Theorem 4.5 and Lemma 4.6 there is $\varphi \in \mathrm{End}(\mathbb{Z}_{2^n})$ such that
$$(4.7) \qquad U = \{ (a, a\varphi \boxplus d) : a \in A, d \in D \}$$
for some $A \le \mathbb{Z}_{2^n}$ and $D \le A\varphi$, or
$$(4.8) \qquad U = \{ (c\varphi \boxplus b, c) : c \in C, b \in B \}$$
for some $C \le \mathbb{Z}_{2^n}$ and $B \le C\varphi$.

Suppose first that $U$ satisfies (4.6) and (4.7). By the definition (2.2) and (2.3) of $\Sigma$, we have
$$(a, a\varphi \boxplus d)\Sigma = (a\varphi \boxplus d, \; a + (a\varphi \boxplus d)S).$$
Setting $a = d = 0$, we see that $(0, 0)\Sigma = (0, 0S)$, so that we can take $v_1 = 0$ and $v_2 = 0S$. We have thus that for any $a \in A$, $d \in D$, there are $x \in A$, $y \in D$ such that
$$(4.9) \qquad (a\varphi \boxplus d, \; a + (a\varphi \boxplus d)S) = (x, \; x\varphi \boxplus y \boxplus 0S) \in U \boxplus (0, 0S),$$
that is, $x = a\varphi \boxplus d$ and $y \boxplus 0S = a + (a\varphi \boxplus d)S \boxminus (a\varphi \boxplus d)\varphi$, and so
$$(4.10) \qquad a + (a\varphi \boxplus d)S \boxminus (a\varphi \boxplus d)\varphi \in 0S \boxplus D.$$

Note that in the equation $x = a\varphi \boxplus d$, $a$ and $x$ range in $A$ while $d$ ranges in $D$. Since $D \le A\varphi$, we obtain that $A\varphi = A$, and so $s = t$, and $\varphi$ is an automorphism of $\mathbb{Z}_{2^n}$.

Setting $a = 0$ in (4.10), we see that $DS \subseteq 0S \boxplus D$. Since $S$ is bijective, we have $|DS| = |D| = |0S \boxplus D|$, so that
$$(4.11) \qquad DS = 0S \boxplus D.$$

When $D = \mathbb{Z}_{2^n}$, since $\varphi$ is an automorphism of $\mathbb{Z}_{2^n}$, we have also $C = B = A = \mathbb{Z}_{2^n}$ in Theorem 4.5, so that $U = V$, a trivial block.

In Subsection 4.1 (see Corollary 4.15) we will show that for $D < \mathbb{Z}_{2^n}$, the identity (4.11) can only hold when $D = \{0\}$. Then in Subsection 4.2 we deal with the case $D = \{0\}$, that is,
$$U = \{ (a, a\varphi) : a \in A \}.$$

It remains to deal with case (4.8). Recalling that $U\Sigma = U \boxplus (0, 0S)$, we argue as in the first case and deduce that for $c \in C$, $b \in B$, there are $x \in C$, $y \in B$ such that
$$(c, \; (c\varphi \boxplus b) + cS) = (x\varphi \boxplus y, \; x \boxplus 0S).$$
Setting $y = 0$, we obtain $C = C\varphi$, and so $\varphi$ is an automorphism. But then, by (4.3), we have $|B| = |D|$, and so $A = C$ and $B = D$. Setting $a = c\varphi \boxplus b$ in (4.8), we obtain
$$\begin{aligned}
U &= \{ (a, (a \boxminus b)\varphi^{-1}) : a \in A, b \in B \} \\
&= \{ (a, a\varphi^{-1} \boxminus b\varphi^{-1}) : a \in A, b \in B \} \\
&= \{ (a, a\varphi^{-1} \boxminus d) : a \in A, d \in B \},
\end{aligned}$$
so that we have reduced to the previous case. □


4.1. The case $DS = 0S \boxplus D$, with $D \ne \{0\}$. For $v \in \mathbb{F}_2^n$, we denote by $v_{[h,k]}$ the string of bits consisting of the bits of $v$ from the $h$-th bit to the $k$-th bit. (We start counting from 0.) For example if $v = (0, 1, 1, 0)$, then $v_{[1,3]} = (1, 1, 0)$. For any $W \subseteq \mathbb{F}_2^n$ we denote by $W_{[h,k]}$ the set $\{ v_{[h,k]} : v \in W \}$.

According to Lemma 2.1 a subgroup $D$ of $\mathbb{Z}_{2^n}$ is of the form $\langle 2^q \rangle$, for some $0 \le q \le n$. So the representation of each element of $D = \langle 2^q \rangle$ as an element of $\mathbb{F}_2^n = \mathbb{F}_2^q \times \mathbb{F}_2^{n-q}$ is of the form $0_{[0,q-1]} \,\|\, d_{[q,n-1]}$ with $d_{[q,n-1]} \in \mathbb{F}_2^{n-q}$. Recall that
$$\mathbb{F}_2^n = \mathbb{F}_2^m \,\|\, \dots \,\|\, \mathbb{F}_2^m.$$

We shall use the following compact notation:

(1) A white box denotes a subset of $\mathbb{F}_2^m$ of cardinality 1;

(2) a ruled box denotes a subset of $\mathbb{F}_2^m$ of cardinality $\ell$ with $1 < \ell < 2^m$;

(3) a black box denotes the full set $\mathbb{F}_2^m$.

We will say that a box has white, ruled or black type. We will also speak of

(4) a riddle box, drawn as a box marked "?", which is any of the above.
Definition 4.8. Let $D$ be a subset of
$$\mathbb{F}_2^n = V_1 \times V_2 \times \dots \times V_\delta,$$
where each subspace $V_i$ has dimension $m$. We shall say that $D$ has a type if
$$D = (D \cap V_1) \times (D \cap V_2) \times \dots \times (D \cap V_\delta).$$
If $D$ has a type, the type of $D$ will be a sequence of $\delta$ white, ruled or black boxes, where the $i$-th box represents the set $D \cap V_i$.

Remark 4.9. A subgroup $D = \langle 2^q \rangle$ of $\mathbb{Z}_{2^n}$ has one of the following two types.

(1) When $q \equiv 0 \pmod m$, the subgroup has type: [figure in the original: a row of white boxes followed by a row of black boxes, with the $q$-th bit marked]. Here there are no ruled boxes, and the $q$-th bit occurs as the first bit of a black box. Note that there are no white boxes when $q = 0$ (the subgroup is the full group $\mathbb{Z}_{2^n}$), and there are no black boxes when $q = n$ (the subgroup is $\{0\}$).

(2) When $q \not\equiv 0 \pmod m$, there is a ruled box: [figure in the original: a row of white boxes, a ruled box, then a row of black boxes, with the $q$-th bit marked], where the $q$-th bit is inside the ruled box.

Definition 4.10. A subgroup of $\mathbb{Z}_{2^n}$ of the first type of Remark 4.9 will be called a whole subgroup.

In the next Lemma we consider the behaviour of the bitwise sum with respect to types.

Lemma 4.11. If $D$ is a subset of $\mathbb{Z}_{2^n}$ having a type and $v \in \mathbb{Z}_{2^n}$, then $D$ and $v + D$ have the same type.

Proof. Since $D$ has a type, $D = D_1 \times \dots \times D_\delta$, where $D_i = D \cap V_i$ for each $i \in \{1, \dots, \delta\}$. Writing $v = (v_1, \dots, v_\delta)$, clearly we have
$$D + v = (D_1 + v_1) \times \dots \times (D_\delta + v_\delta),$$
and so $D + v$ has a type. Since $|D_i| = |D_i + v_i|$, the two types coincide. □

The behaviour of the modular sum $\boxplus$ with respect to types is more complex and can be described easily only for subgroups, as in the following lemma.
Lemma 4.12. If $D$ is a subgroup of $\mathbb{Z}_{2^n}$ and $v \in \mathbb{Z}_{2^n}$, then $D$ and $v \boxplus D$ have the same type.

Proof. The binary representation of an element $d$ of $D = \langle 2^q \rangle$ has the form
$$d = 0_{[0,q-1]} \,\|\, d_{[q,n-1]},$$
where $0_{[0,q-1]}$ is a zero vector of length $q$. Write $v = v_{[0,q-1]} \,\|\, v_{[q,n-1]}$. Then an element $v \boxplus d$ of $v \boxplus D$ can be written as
$$\begin{aligned}
v \boxplus d &= (v_{[0,q-1]} \,\|\, v_{[q,n-1]}) \boxplus (0_{[0,q-1]} \,\|\, d_{[q,n-1]}) \\
&= (v_{[0,q-1]} \boxplus 0_{[0,q-1]}) \,\|\, (v_{[q,n-1]} \boxplus d_{[q,n-1]}) \\
&= v_{[0,q-1]} \,\|\, (v_{[q,n-1]} \boxplus d_{[q,n-1]}).
\end{aligned}$$
As $d_{[q,n-1]}$ ranges in $\mathbb{F}_2^{n-q}$, so does $v_{[q,n-1]} \boxplus d_{[q,n-1]}$. Therefore $D$ and $v \boxplus D$ have the same type. □

Clearly a bricklayer transformation will map any set having a type to another set having the same type, since each S-box is a bijection.

Lemma 4.13. If $D$ is a subgroup of $\mathbb{Z}_{2^n}$, then $D$, $D\gamma$ and $0\gamma \boxplus D$ have the same type, for any bricklayer transformation $\gamma \in \mathrm{Sym}(V)$.

Moreover, if $D$ is whole, then $D\gamma = 0\gamma \boxplus D$.

Proof. Clearly $D$ and $D\gamma$ share the same type, and by Lemma 4.12 this is the same type as $0\gamma \boxplus D$.

If $D$ is a whole subgroup, then
$$D = 0_{[0,m-1]} \,\|\, \dots \,\|\, 0_{[0,m-1]} \,\|\, D_l \,\|\, \dots \,\|\, D_\delta$$
for some $l \le \delta$, and thus
$$D\gamma = 0\gamma_1 \,\|\, \dots \,\|\, 0\gamma_{l-1} \,\|\, D_l\gamma_l \,\|\, \dots \,\|\, D_\delta\gamma_\delta.$$
Since $D_i = \mathbb{F}_2^m$ for any $i \in \{l, \dots, \delta\}$, $D\gamma = 0\gamma \boxplus D$. □

Lemma 4.14. If $D$ is a proper, nontrivial subgroup of $\mathbb{Z}_{2^n}$, then $DS$ and $D$ have different types.

Proof. By Lemma 4.13 we know that $D$ and $D\gamma$ have the same type. We will now prove that an application of $R$ changes the type, which will yield the claim. According to Remark 4.9 we distinguish the following three possibilities for the type of $D\gamma$:

a) [figure in the original: white boxes, then a riddle box, then black boxes]

b) [figure in the original: white boxes, with a ruled box in the last position]

c) [figure in the original: a ruled box in the first position, then black boxes]

As in Definition 4.8 we count the boxes from 1 to $\delta$.

• Consider first case a), when we have both black and white boxes, and the riddle box can be of any type.

If $r = 2m$, then the white box preceding the riddle box is sent by $R$ onto the black box following the riddle box, a contradiction.

Similarly, if $r = (\delta - 1)m$, the first white box is sent by $R$ onto the last black box. For later use, we regard this as $R^{-1}$ sending the last black box onto the first white box.

Now note first that every $m$-bit box that is contained in the stretch of white boxes will be white, even if it is not aligned with one of the bricks $V_j$. This is simply because all bits in this stretch take a single value each. Similarly, every $m$-bit box that is contained in the stretch of black boxes will be black, even if it is not aligned with one of the bricks. This is because all bits in this stretch take two values each, independent of one another.

To deal with the intermediate cases $2m < r < (\delta - 1)m$, start with the case $r = 2m$, and shift the black box next to the riddle box right by one bit. As just noted, this will still be black, and for $r = 2m + 1$, the rotation $R$ will take the white box next to the riddle box onto the shifted black box, a contradiction.

We keep shifting the black box to the right one bit at a time, until we hit the rightmost black box. In this way we will have covered all rotations $R$, for $2m \le r \le \vartheta m$, where $\delta - \vartheta + 1$ is the position of the riddle box.

To cover the remaining rotations, start with the last black box, which for $r = \vartheta m$ is taken by the left rotation $R^{-1}$ onto the white box adjacent to the riddle box. Shift the latter white box left by one bit. By the remark above, this will still be white, and the left rotation $R^{-1}$ by $r = \vartheta m + 1$ bits will take the last black box onto it, a contradiction.

Shifting bit by bit the white box to the left, until it overlaps completely the first white box, we see that for $2m \le r \le (\delta - 1)m$, one or both of the following possibilities will have occurred.

(1) The rotation $R$ sends a white box onto a black box, or over two adjacent black boxes. Since in a white box all bits take a single value, while in a black box each bit takes two values, independent of one another, this is a contradiction.

(2) The left rotation $R^{-1}$ sends a black box onto a white box, or over two adjacent white boxes. This is again a contradiction.

If $m \le r < 2m$, then $R$ sends the last black box either onto the first white box, or in any case to overlap the first white box in the last $2m - r > 0$ bits of the latter. Once more, this is a contradiction.

• Consider now case b). Here we do not have black boxes and the ruled box is the rightmost one, at position $\delta$. Under the rotation to the right by $r$ bits, the ruled box is moved onto a white box, or comes to overlap two adjacent white boxes. This implies that all bits of the ruled box take a single value each, so that the ruled box is a singleton, that is, it is also white, a contradiction.

• Finally, in case c) we do not have white boxes, and the ruled box is the leftmost one. Applying a rotation to the right by $r$ bits, the ruled box is moved onto a black box, or comes to overlap two adjacent black boxes. Since concatenation of boxes means concatenation of strings, and in a black box each bit takes two values, independent of one another, this would make the ruled box black, a contradiction. □

Corollary 4.15. If $D \ne \{0\}$ is a proper subgroup of $\mathbb{Z}_{2^n}$, then $DS \ne 0S \boxplus D$.

Proof. It follows from Lemma 4.14 and Lemma 4.12. □
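As an added example (not code from the paper), the following Python models the objects of Sections 2 to 4 for constructed parameters: $n = 8$ bits per half block, $\delta = 4$ bricks of $m = 2$ bits, rotation extent $r = 3$ and four constructed bijective S-boxes, with bit $i$ of an integer standing for $a_i$ (so $a_0$ is the least significant bit). It computes the signs of $\Sigma$ and of the generating translations on all of $V$ (Lemma 3.2), checks the formal inverse of $\Sigma$, and for every proper nontrivial $D = \langle 2^q \rangle$ verifies that $D$ and $D\gamma$ share a type while $DS$ does not, and that $DS \ne 0S \boxplus D$ (Lemmas 4.13, 4.14 and Corollary 4.15).

```python
# Added example (not from the paper): a small instance of the objects of
# Sections 2-4.  All parameters below are constructed, not GOST's own.
# Bit i of an integer plays the role of a_i in the string (a_0, ..., a_{n-1}),
# so a_0 is the least significant bit and 2^{n-1} = (0, ..., 0, 1).
M = 2                      # m: bits per brick
DELTA = 4                  # delta: bricks per half block
N = M * DELTA              # n = delta * m bits per half block
R_EXTENT = 3               # rotation extent r, with m <= r <= (delta - 1) m
MASK = (1 << N) - 1
# constructed bijective S-boxes gamma_1 .. gamma_delta on F_2^m
SBOXES = [(2, 0, 3, 1), (1, 3, 0, 2), (3, 1, 2, 0), (0, 2, 1, 3)]

def brick(x, j):
    """Brick j (1-based) of x, i.e. bits (j-1)m .. jm-1 of the string."""
    return (x >> ((j - 1) * M)) & ((1 << M) - 1)

def gamma(x):
    """Bricklayer transformation: S-box gamma_j acts on brick j."""
    y = 0
    for j in range(1, DELTA + 1):
        y |= SBOXES[j - 1][brick(x, j)] << ((j - 1) * M)
    return y

def rot(x, r=R_EXTENT):
    """Right rotation R of (a_0, ..., a_{n-1}) by r bits: a_i moves to position i + r."""
    return ((x << r) | (x >> (N - r))) & MASK

def S(x):
    """S = gamma R: apply gamma first, then R (permutations act on the right)."""
    return rot(gamma(x))

def sigma(v):
    """Feistel matrix Sigma of (2.2)/(2.3): (x1, x2) -> (x2, x1 + x2 S)."""
    x1, x2 = v
    return (x2, x1 ^ S(x2))

def sigma_inv(v):
    """Formal inverse of Sigma: (y1, y2) -> (y1 S + y2, y1)."""
    y1, y2 = v
    return (S(y1) ^ y2, y1)

def rho(v, k):
    """Box-plus translation rho_k by k = (k1, k2): componentwise sum mod 2^n."""
    return ((v[0] + k[0]) & MASK, (v[1] + k[1]) & MASK)

def round_fn(v, k, h):
    """One round rho_k Sigma rho_h of the GOST-like cipher, formula (3.1)."""
    return rho(sigma(rho(v, k)), h)

def parity(perm):
    """Sign of a permutation given as a dict point -> image: +1 even, -1 odd."""
    seen, transpositions = set(), 0
    for start in perm:
        if start in seen:
            continue
        length, p = 0, start
        while p not in seen:          # walk one cycle; a k-cycle is k - 1 transpositions
            seen.add(p)
            p, length = perm[p], length + 1
        transpositions += length - 1
    return 1 if transpositions % 2 == 0 else -1

V = [(x1, x2) for x1 in range(1 << N) for x2 in range(1 << N)]   # the plaintext space

def lemma_3_2_signs():
    """Signs of Sigma, rho_(0,1) and rho_(1,0) on V; Lemma 3.2 says all are +1."""
    return (parity({v: sigma(v) for v in V}),
            parity({v: rho(v, (0, 1)) for v in V}),
            parity({v: rho(v, (1, 0)) for v in V}))

def subgroup(q):
    """The box-plus subgroup D = <2^q> of Z_{2^n}, as a set of integers."""
    return {d for d in range(1 << N) if d % (1 << q) == 0}

def type_of(D):
    """Type of D (Definition 4.8): the tuple of brick projection sizes (1 = white,
    2^m = black, in between = ruled), or None if D is not the product of them."""
    projections = [{brick(d, j) for d in D} for j in range(1, DELTA + 1)]
    size = 1
    for P in projections:
        size *= len(P)
    return tuple(len(P) for P in projections) if size == len(D) else None

def translate(D, v):
    """The coset v box-plus D."""
    return {(v + d) & MASK for d in D}

def check_section_4_1(q):
    """For D = <2^q>, 0 < q < n, return (type(D) == type(D gamma),  Lemma 4.13
                                         type(D S) != type(D),     Lemma 4.14
                                         D S != 0S box-plus D)     Corollary 4.15"""
    D = subgroup(q)
    DS = {S(d) for d in D}
    return (type_of(D) == type_of({gamma(d) for d in D}),
            type_of(DS) != type_of(D),
            DS != translate(D, S(0)))
```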

4.2. The diagonal case $D = \{0\}$. Here we deal with the case when a subgroup of the form
$$U = \{ (a, a\varphi) : a \in A \},$$
for some $0 \ne A \le \mathbb{Z}_{2^n}$ and $\varphi \in \mathrm{Aut}(\mathbb{Z}_{2^n})$, is a block. Since
$$(a, a\varphi)\Sigma = (a\varphi, \; a + a\varphi S),$$
as in the discussion following Lemma 4.7 we have
$$U\Sigma = U \boxplus (0, 0S).$$
Therefore for each $a \in A$ there is $x \in A$ such that
$$(a\varphi, \; a + a\varphi S) = (x, \; x\varphi \boxplus 0S),$$
so that $x = a\varphi$, and substituting
$$(4.12) \qquad a\varphi^2 = (a + a\varphi S) \boxminus 0S.$$
Since $\varphi$ is an automorphism, we have $2^{n-1}\varphi = 2^{n-1}$. Now for any $y$ it is easy to see that
$$y + 2^{n-1} = y \boxplus 2^{n-1},$$
as in both cases we are just changing the most significant bit of $y$. Therefore, setting $a = 2^{n-1} \in A$ in (4.12), we obtain
$$2^{n-1} = 2^{n-1} \boxplus 2^{n-1}S \boxminus 0S,$$
or in other words
$$2^{n-1}S = 0S,$$
contradicting the fact that $S$ is a bijection.

5. O'Nan-Scott

We have shown in the previous section that the subgroup $\Gamma$ of $\mathrm{Sym}(V)$ is primitive. We may thus prove Theorem 3.1 by appealing to the O'Nan-Scott classification of primitive groups [LPS88]. However, since by (3.2) $\Gamma$ contains the group $\mathcal{T}$ of translations, which is an abelian subgroup acting regularly on $V$, we are able to appeal to a particular case of the O'Nan-Scott classification, obtained by Li [Li03, Theorem 1.1], which describes the primitive groups containing an abelian regular subgroup. In the particular case when $\Gamma$ acts on a set whose order is a power of 2, Li's result can be stated as follows.

Theorem 5.1 ([Li03, Theorem 1.1]). Let $\Gamma$ be a primitive group acting on a set $V$ of cardinality $2^b$, with $b > 1$. Suppose $\Gamma$ contains a regular abelian subgroup $\mathcal{T}$. Then $\Gamma$ is one of the following.

(1) Affine, $\Gamma \le \mathrm{AGL}(b, 2)$.

(2) Wreath product, that is

with $2^b = c^l$ for some $c$ and $l > 1$. Here $\mathcal{T} = \mathcal{T}_1 \times \dots \times \mathcal{T}_l$, with $\mathcal{T}_i \le K_i$ and $|\mathcal{T}_i| = c$ for each $i$, $K_1 = \dots = K_l$, $O \le \mathrm{Out}(K_1) \times \dots \times \mathrm{Out}(K_l)$, $P$ permutes transitively the $K_i$, and either $K_i = \mathrm{Sym}(c)$ or $K_i = \mathrm{Alt}(c)$.

(3) Almost simple, i.e., $K \le \Gamma \le \mathrm{Aut}(K)$ for a nonabelian simple group $K$.

Here the notation $S.T$ denotes an extension of the group $S$ by the group $T$. Case (2) is the case of the (wreath product in) product action. In dealing with this, we will be supplementing Li's statement with the information from [LPS88].

In the next three subsections we will examine the three cases of Theorem 5.1 and show that only the almost simple case can hold, with $\Gamma = \mathrm{Alt}(V)$.

Recall that in our case $|V| = 2^b$, with $b = 2n$, $n = \delta m$ with $\delta \ge 4$ and $m \ge 2$. These conditions imply that $b \ge 16$ and $n \ge 8$.

5.1. The affine case. Suppose case (1) of Theorem 5.1 holds, that is, $\Gamma \le \mathrm{AGL}(2n, 2)$. Then $\mathrm{AGL}(2n, 2)$ should contain the cyclic subgroup $\mathbb{Z}_{2^n}$.

It is well known that if $p$ is a prime, then the exponent of the $p$-Sylow subgroup of $\mathrm{GL}(2n, p)$ is the smallest power $p^k$ such that $p^k \ge 2n$. In our case the exponent of the 2-Sylow subgroup of $\mathrm{GL}(2n, 2)$ is the smallest power $2^k \ge 2n$, so that $k \ge \log_2(n) + 1$, and
$$k = \lceil \log_2(n) + 1 \rceil = \lceil \log_2(n) \rceil + 1.$$
Since $\mathrm{AGL}(2n, 2)$ is the extension of an elementary abelian group by $\mathrm{GL}(2n, 2)$, the exponent of the 2-Sylow subgroup of $\mathrm{AGL}(2n, 2)$ can only increase by a factor of two with respect to that of $\mathrm{GL}(2n, 2)$. Therefore if there is an element of order $2^n$ in $\mathrm{AGL}(2n, 2)$, then
$$\lceil \log_2(n) \rceil + 2 \ge n,$$
which fails for $n > 5$. (Recall that we have $n \ge 8$.)

5.2. The wreath product case. This is case III(b) (wreath product in product action) of [LPS88]. Therefore
$$V = W_1 \times \dots \times W_l,$$
with $K_i$ acting transitively on the subsets $W_i$, each of the latter having cardinality $c > 1$. Since $\mathcal{T}_i$ is a subgroup of order $c$ of the $\boxplus$-translation group $\mathcal{T} \cong \mathbb{Z}_{2^n} \times \mathbb{Z}_{2^n}$, and $\mathcal{T} = \mathcal{T}_1 \times \dots \times \mathcal{T}_l$, it follows that $l = 2$, $c = 2^n$, and $\mathcal{T}_i \cong \mathbb{Z}_{2^n}$. By Lemma 4.3, $\mathcal{T}_i = \{ \rho_u : u \in U_i \}$, where the $U_i$ are subgroups of $V$. Since $\mathcal{T}$ acts regularly on $V$, we have $W_i = 0K_i = 0\mathcal{T}_i = U_i$, so that the $W_i$ are subgroups of $V$.

Since $\Gamma = \langle \mathcal{T}, \Sigma \rangle$, $\mathcal{T}$ is contained in the normal subgroup $K_1 \times K_2$, and $P$ permutes the $K_i$ by conjugation, it follows that
$$K_1^\Sigma = K_2.$$
We have thus
$$(5.1) \qquad W_1\Sigma = 0K_1\Sigma = 0\Sigma K_2 = 0\Sigma\mathcal{T}_2 = (0, 0S) \boxplus W_2.$$
(Here and in the following, recall (2.2) and (2.3).) We now prove that (5.1) cannot hold, with arguments similar to those of Section 4.2.

We appeal once again to Goursat's Lemma to describe the subgroups $W_1$, $W_2$ of $V = V^1 \times V^2$. Note that, in the notation of Theorem 4.5, the subgroup $U_\psi$ of the direct product contains $B \times D$. Since $W_1 \cong \mathbb{Z}_{2^n} \cong W_2$ are indecomposable, one of $B$ and $D$ must be trivial. In (4.4) of Lemma 4.6 $D$ is the image of $B$ under an endomorphism, and in (4.5) $B$ is the image of $D$ under an endomorphism. It follows that in the notation of Lemma 4.6 $W_1, W_2$ are of one of the two forms
$$\{ (x, x\sigma) : x \in \mathbb{Z}_{2^n} \}, \qquad \{ (y\tau, y) : y \in \mathbb{Z}_{2^n} \},$$
where $\sigma, \tau \in \mathrm{End}(\mathbb{Z}_{2^n})$. There are four cases to consider.

The first case is
$$W_1 = \{ (x, x\sigma) : x \in \mathbb{Z}_{2^n} \}, \qquad W_2 = \{ (y, y\tau) : y \in \mathbb{Z}_{2^n} \},$$
for $\sigma, \tau \in \mathrm{End}(\mathbb{Z}_{2^n})$. In this case (5.1) states that for each $y \in \mathbb{Z}_{2^n}$ there is a unique $x \in \mathbb{Z}_{2^n}$ such that
$$(x\sigma, \; x + x\sigma S) = (y, \; y\tau \boxplus 0S).$$
Therefore $y = x\sigma$, and $\sigma \in \mathrm{Aut}(\mathbb{Z}_{2^n})$. Set $x = 2^{n-1}$. We get
$$2^{n-1} + 2^{n-1}S = 2^{n-1}\tau \boxplus 0S.$$
If $\tau$ is also an automorphism, we get $2^{n-1}S = 0S$, a contradiction to the fact that $S$ is bijective. If $\tau$ is a proper endomorphism, that is, an endomorphism which is not an automorphism, we get
$$(5.2) \qquad 2^{n-1} + 2^{n-1}S = 0S.$$
Regarding this as an identity in $V^2$, it states that $0S$ and $2^{n-1}S$ differ only in the last bit. Clearly $0$ and $2^{n-1}$ differ only in the last bit, so that $0\gamma$ and $2^{n-1}\gamma$ differ only in their component in $V^2_\delta$. But then, once one applies the right rotation $R$ by $r$ bits, with $m \le r \le (\delta - 1)m$, we have that the components in $V^2_\delta$ of $0S = 0\gamma R$ and $2^{n-1}S = 2^{n-1}\gamma R$ coincide, contradicting (5.2).

The second case is
$$W_1 = \{ (x, x\sigma) : x \in \mathbb{Z}_{2^n} \}, \qquad W_2 = \{ (y\tau, y) : y \in \mathbb{Z}_{2^n} \},$$
for $\sigma, \tau \in \mathrm{End}(\mathbb{Z}_{2^n})$. We thus have that for each $x \in \mathbb{Z}_{2^n}$ there is a unique $y \in \mathbb{Z}_{2^n}$ such that
$$(x\sigma, \; x + x\sigma S) = (y\tau, \; y \boxplus 0S).$$
Setting $x = 0$, we see that $\tau$ is an automorphism, and similarly $\sigma$ is an automorphism. Setting $x = 2^{n-1}$, we have also $y = 2^{n-1}$, so that we get once more
$$2^{n-1}S = 0S.$$

The third case is
$$W_1 = \{ (x\sigma, x) : x \in \mathbb{Z}_{2^n} \}, \qquad W_2 = \{ (y, y\tau) : y \in \mathbb{Z}_{2^n} \},$$
for $\sigma, \tau \in \mathrm{End}(\mathbb{Z}_{2^n})$. Thus we have that for each $x \in \mathbb{Z}_{2^n}$ there is a unique $y \in \mathbb{Z}_{2^n}$ such that
$$(x, \; x\sigma + xS) = (y, \; y\tau \boxplus 0S).$$
Therefore $x = y$, and for each $y \in \mathbb{Z}_{2^n}$ we have
$$y\sigma + yS = y\tau \boxplus 0S.$$
If $\sigma, \tau$ are both automorphisms, or both proper endomorphisms, setting $y = 2^{n-1}$ we get once more $2^{n-1}S = 0S$, a contradiction. If one of $\sigma, \tau$ is an automorphism, and the other is a proper endomorphism, then setting $y = 2^{n-1}$ we get as above
$$2^{n-1}S + 2^{n-1} = 0S,$$
a contradiction.

The fourth case is
$$W_1 = \{ (x\sigma, x) : x \in \mathbb{Z}_{2^n} \}, \qquad W_2 = \{ (y\tau, y) : y \in \mathbb{Z}_{2^n} \},$$
for $\sigma, \tau \in \mathrm{End}(\mathbb{Z}_{2^n})$. We thus have that for each $x \in \mathbb{Z}_{2^n}$ there is a unique $y \in \mathbb{Z}_{2^n}$ such that
$$(x, \; x\sigma + xS) = (y\tau, \; y \boxplus 0S).$$
It follows that $\tau$ is an automorphism, and $y = x\tau^{-1}$. Thus for each $x \in \mathbb{Z}_{2^n}$ one has
$$x\sigma + xS = x\tau^{-1} \boxplus 0S,$$
so this case reduces to the previous one.

5.3. The almost simple case. In the almost simple case (3) of Theorem 5.1, note that $K$ is a transitive subgroup of the primitive group $\Gamma$, so the intersection of a one-point stabiliser in $\Gamma$ with $K$ is a proper subgroup of $K$ of index $2^b$, with $b \ge 16$. By Theorem 1 and Section (3.3) in [Gur83], there are two possibilities for $K$.

The first possibility is for $K$ to be the group $\mathrm{PSL}_\alpha(\beta)$, where in our case

(i) $(\beta^\alpha - 1)/(\beta - 1) = 2^b$;

(ii) $\beta$ is a power $\pi^e$ of a prime $\pi$;

(iii) $\alpha$ is a prime such that if $\alpha > 2$ then $\pi \equiv 1 \pmod \alpha$.

(i) implies that $\beta$, and thus $\pi$, are odd. Hence
$$2^b = (\beta^\alpha - 1)/(\beta - 1) = \beta^{\alpha-1} + \dots + \beta + 1 \equiv \alpha \pmod 2,$$
so that $\alpha = 2$. Thus
$$\pi^e = \beta = 2^b - 1 = (2^n - 1)(2^n + 1),$$
where both factors of the last term are greater than 1, as $n > 1$. If $e = 1$, this contradicts the fact that $\pi$ is a prime. If $e > 1$, then $\pi$ divides both $2^n - 1$ and $2^n + 1$, which contradicts the fact that these two numbers are coprime.

The other possibility is for $K$ to be the alternating group $\mathrm{Alt}(2^b)$ of degree $2^b$. Since the automorphism group of $\mathrm{Alt}(2^b)$ is $\mathrm{Sym}(2^b)$, we obtain that $\Gamma$ is either $\mathrm{Alt}(2^b)$ or $\mathrm{Sym}(2^b)$. In view of Lemma 3.2 we have $\Gamma = \mathrm{Alt}(V)$, as claimed.